Blue Screen Mayhem: When CrowdStrike's Glitch Became Threat Actor's Playground

July 29, 2024

In the ever-evolving landscape of cybersecurity, even the smallest hiccup can create ripples that turn into tsunamis. The recent Blue Screen of Death (BSOD) outage at Microsoft, caused by a compatibility issue with CrowdStrike, was just such an event. But as we've learned time and time again, where there's chaos, there are opportunists waiting to pounce.

As if managing a major outage wasn't challenging enough, three separate malware campaigns surfaced, exploiting this catastrophe through phishing websites and emails. Apart from these, various CrowdStrike-themed lookalike domains were registered for malicious purposes; a few of them are listed at the end of this post.

Figure: Overview of Campaigns Taking Advantage of Microsoft CrowdStrike Outage

Campaign 1: Fake Updates with RemCos RAT

One concerning strategy involved the distribution of misleading updates. Threat actors circulated ZIP files named "crowdstrike-hotfix.zip," ostensibly offering a solution to the BSOD problem. However, these files actually contained the RemCos Remote Access Trojan (RAT), which enables unauthorized remote access to affected systems, potentially leading to data breaches.

In one instance, a phishing website impersonating BBVA bank was used to distribute this malicious ZIP file. When downloaded and run, the file activated HijackLoader, which subsequently installed the RemCos RAT. This case demonstrates how attackers took advantage of the situation to compromise systems by posing as providers of crucial updates.

For intel on the RemCos RAT and HijackLoader, visit Loginsoft's threat profiles: 

Campaign 2: Daolpu Stealer via Fake Microsoft Recovery Manual

The threat actors behind the Daolpu Stealer delivered the malware via a Word document containing a malicious macro, disguised as a recovery manual. Once the Daolpu Stealer was executed, the following behavior was observed:

Sample: https://tria.ge/240722-q489ga1fnk

For more information about the Daolpu Stealer, visit: https://vi.loginsoft.com/threat-profiles/Daolpu-Malware-Campaign

Campaign 3: The Handala Hacking Hullabaloo

The Handala hacking group utilized the outage to further their political agenda. They claimed to have conducted a wiper malware attack targeting Israeli organizations, disguising it as a CrowdStrike update. This malware was designed to not only disrupt systems but also to permanently delete data, potentially causing significant damage.

This incident illustrates how certain groups may exploit widespread technical issues to carry out targeted attacks, combining cybersecurity threats with political motivations.

Threat Bites

Threat Actors: TA544, APT 33, Handala
Malware: HijackLoader, Remcos RAT, Daolpu Stealer
Targeted Country/Region: Latin America, Israel
Targeted Industry: Banks
First Seen: July 2024
Last Seen: July 2024
LOLBAS: Certutil.exe, Schtasks.exe
Telemetry: Sysmon, Security, PowerShell

Malicious Domains:

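As an added defender-side example (not code from this post or from Loginsoft), the following Python script turns a few of the defanged indicators from the list above into an exact-match blocklist and adds a heuristic that flags any queried name whose registered domain carries the vendor's brand but is not crowdstrike.com, run over constructed DNS query log lines. It assumes single-label TLDs like those in the list (.com, .co, .fail) and a simple "timestamp client qname" log format; both are assumptions made for the example.

```python
# Constructed DNS-query log lines for the example, not real telemetry.
# Assumed format: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2024-07-22T09:14:02Z 10.0.4.21 falcon.crowdstrike.com
2024-07-22T09:15:11Z 10.0.4.21 crowdstrike-bsod.com
2024-07-22T09:15:12Z 10.0.4.33 www.crowdstrikebug.com
2024-07-22T09:16:40Z 10.0.4.33 crowdstrike.fail
2024-07-22T09:17:05Z 10.0.4.50 updates.microsoft.com
2024-07-22T09:18:00Z 10.0.4.50 crowdstrikes-help.com
"""

BRAND = "crowdstrike"
# Assumption: crowdstrike.com is the only registered domain treated as legitimate here.
LEGITIMATE_DOMAINS = {"crowdstrike.com"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'crowdstrike-bsod[.]co' back into a hostname."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


# A few defanged indicators copied from the post, loaded as an exact-match blocklist.
BLOCKLIST = {refang(d) for d in ["crowdstrike-bsod[.]co", "crowdstrike-bsod[.]com", "crowdstrikebug[.]com"]}


def registered_domain(qname: str) -> str:
    """Last two labels of the name; correct for the single-label TLDs assumed in this example."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(qname: str) -> bool:
    """True when the brand appears in the registered domain but that domain is not allow-listed."""
    reg = registered_domain(qname)
    return BRAND in reg and reg not in LEGITIMATE_DOMAINS


def scan_dns_log(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, reason) for every query that is blocklisted or a brand lookalike."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines rather than crash on them
            continue
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if registered_domain(qname) in BLOCKLIST:
            hits.append((client, qname, "blocklisted"))
        elif is_lookalike(qname):
            hits.append((client, qname, "lookalike"))
    return hits


if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client}\t{qname}\t{reason}")
```

The blocklist catches exact matches to published indicators, while the lookalike rule also surfaces newly registered names the list does not yet contain.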


Author:

Saharsh Agrawal

July 29, 2024
